Posted
by
samzenpus
on Monday July 30, 2012 @01:15PM
from the noew-tool-for-the-box dept.

Gunkerty Jeb writes "Moxie Marlinspike, the security and privacy researcher known for his SSLStrip, Convergence and RedPhone tools, has released a new tool that can crack passwords used for some VPNs and wireless networks that rely on encryption using Microsoft's MS-CHAPv2 protocol. Marlinspike discussed the tool during a talk at DEF CON over the weekend, and it is available for download."

I think GP refers to the Gap series. Some names from that series: Angus Thermopyle, Orn Vorbuld, Milos Taverner. If you like dark SF, highly recommended. Some parts gave me the same feelings as "Alien".

If I remember correctly, he also developed Google-Sharing, a firefox extension to garble the data google collects on its users. Basically, all users with the extension share their tracks, which are fed to google to help confuse it. Futile, perhaps, but a great idea and an important concept no doubt. I dig the guy too.

Because surely if he didn't build them, nobody else ever would. The entire point is that he makes the vulnerabilities known, posts them publicly, and often (if not always) gives the manufacturer a chance to correct the issue FIRST.

PPTP is a type of VPN still used by some companies and included with windows...MS-CHAPv2 is the default / most common authentication option when using PPTP with windows. Thus organizations still using PPTP for remote access may be at risk.

For VPN use IPSEC, not PPTP, either with certificate-based outer tunnel, or with an outer tunnel using a PSK that you trust will not be compromised. The latter is near impossible in enterprise setups, so the certificate approach is superior, albeit harder to administer.

WPA2-PSK is insecure due to a separate issue entirely (see Firesheep).

For WPA2-Enterprise the MSCHAPv2 session is usually wrapped in a PEAP (SSL) session. This should be safe as long as your client is configured to validate the server-side certificate only against CAs that are not likely to be compromised (i.e. a rougue cert generated). Preferably, one should also validate the certificate's subject (usually the name of the RADIUS server). If this is not the case (and Apple makes this particularly hard, especially on the new Lion setup that requires an 802.1x profile generated by a Lion Server installation) then an MITM attack is possible, where someone pretends to be your AP+RADIUS, and since your client does not check the certificate they offer, it will happily start the MSCHAPv2 session with them, at which point the exchange becomes vulnerable to attempts to hijack it.

WPA2 using EAP-TLS with certificates is safe, but does not offer the ability to check user passwords, so it is usually only favored by institutions that do not worry too much about stolen equipment. (Given that everyone seems happy to let the OS remember their passwords, however, the added benefits of the password becomes dubious.) WPA2 with EAP-TTLS should be unaffected by any of this. The precautions about validating server certs remain relevant, however.

It is possible to configure WPA2-Enterprise with just a raw MSCHAPv2 exchange and no protective PEAP wrapper around it. That would be what the OP's tool is for. It would also be completely insane, and given many native clients do not support that, rather a lot of effort to invest in being insane.

WPA2-PSK is insecure due to a separate issue entirely (see Firesheep).

Citation needed.

---Not to be harsh, but WPA2-PSK has NOTHING to do with firesheep. JUST NOTHING.

Firesheep is a takover of a non SSL wrapped session. So, someone on a non-switched ethernet network can take-over a session. Same is true for any shared medium network, like wireless.However, since WPA2 uses weak individual session encryption you can perhaps determine the PWMK and then sniff all other sessions.

DES has been well known for vulnerabilities for some time. I don't know of many businesses using MS PPTP for remote VPN because it is usually cheaper and easier to just purchase licenses from their firewall / gateway vendor. Certainly no company with strong crypto needs such as HIPAA, PCI, and similar compliance are using anything but dedicated VPN appliances with AES or similar based encryption. Heck, most of those have moved to 2-factor authentication and are using at least TLS 1.0 / SSL 3.0 at layer 4

Actually, lots of companies still use MS PPTP precisely because it's cheaper and easier than the alternatives. MS PPTP server is built into RRAS, so it's free, and the client is built into every version of Windows since XP.

I've worked with more than one company that has wanted to actually return to using PPTP after bad experiences with IPSec client VPNs.

It's typically because the client software blows or isn't available on their platform or hasn't been updated for an OS rev change (we saw this with Vista/Win7).

Most of these were small shops that couldn't afford the freight on a dedicated VPN setup and were stuck with whatever their firewall would do. Cisco's IPSec implementation seems widely supported, but you have to be wi

I've had great success with shrewsoft [shrew.net] Has worked for me with a few different VPN vendors and it's available in 32 and 64 bit for a bunch of platforms. Works better for me than the CISCO client.

Odd, I've used Shrewsoft on a few vendor's firewalls and run into all manner of incompatibilities. I suppose once you figure out all the quirks for a given device, you would be solid to deploy elsewhere.

On the small scale, I would probably opt for an OpenVPN setup, perhaps on a VM hosted on the base server for insulation. It's easier to setup a fresh server and client than shrewsoft's client in my experience.

I know that security people who build these things get vexed whenever a vulnerability is posted in the wild along with a cracking mechanism, but so often in the past we have seen security researchers have the cops called on them for notifying companies in advance (as if they were a shakedown racket demanding money). And its either that, or they ignore the vulnerability researcher till the 'post in the wild'. Better to post right away, get it out in the open, and move on. Many companies behave identically

Very true (also true about sunlight being a great disinfectant, at least, if you are not trying to use it through UV blocking glass:)

I remember, what a decade ago? It used to be different. You used to see anouncements that said "This vulnerability was given to so and so on date X, they worked out a patch, now here is the full vulnerability". Or "This was sent on X date, it was ignored, They ignored several warnings, here it is".

Sure sometimes someone just released a vulnerability without any of this dilige

I was there and he answered this in his talk. There were hundreds of VPN services that still supported using it. He pointed out that iPredator (VPN service for the Pirate Bay) ONLY supports MS-CHAPv2. The ubiquity of use and support has created a loop where people keep using it (another point of his talk).

This isn't a new issue, certainly, but the likelihood of being attacked at the neighborhood coffee shop's WiFi was indistinguishable from zero. Now there's an off the shelf tool and cloud service made specifically to break through the security people have been using. This means that even someone who was doing security "correctly" (i.e. using a VPN on a public wifi network) is now at risk from having credentials stolen over the wire.

Other than giving Microsoft the finger, this doesn't seem like it's contr

When using DES or a similar broken algorithm to secure communications you subject yourself to the the weaknesses of that algorithm. DES has been broken since the advent of the Core 2 from Intel or the FX series from AMD. Basically as Moore's Law pushes computing power ever further it also obsoletes weaker encryption algorithms. This is true for all crypto systems that are based on the use of the Discrete Logarithim Problem; It's based on the fact that it's difficult to compute large prime numbers. (ie; NP-H

OK, so what does it cost to buy 12-24 hrs of time on this FPGA set? Their dictionary attack service is $17/20 minutes on commodity hardware. At that rate this attack would cost $25K and I care much less about it than if the attack costs $25.

Those eduroam sites that use MSCHAPv2 use PEAP-MSCHAPv2. You have to crack the PEAP before you can crack the MSCHAPv2.

Also, EAP_TTLS is allowed on eduroam -- as long as the clients are configured to match their home servers, eduroam can support multiple authentication schemes. The security is end-to-end between you and your home institution (for the authentication, that is, there is no security other than the over-the-air encryption for your data, so still use https and SSL on clients wherever possible.)

Having just implemented a PEAP-TLS (mutual-certificate based authentication), I can say that what I really want is a combination PEAP-TLS-MSCHAPv2 solution (which doesn't exist to my knowledge). I want mutual-certificate authentication (proving a "Corporate Issue" device which has a typical-end-user non-exportable private key is in use, effectively "something you have"', especially on encrypted drives with no user admin-access) wrapping around a MSCHAPv2 authentication of username/password pairs. While ce

Cisco's VPN client definitely has this in password form, where you have a group user/password plus additional username/password. It also has certificate authentication, but I don't know if it allows certificates to be used in place of passwords while retaining the group+user authentication though. The open-source vpnc client apparently does not support certificate authentication either.